Open Slevy35 opened 1 month ago
Thanks for reaching out. I'm not able to reproduce this, when I set AWS_PROFILE
and AWS_ROLE_ARN
, then AWS_PROFILE
is getting used, which is expected based on the configuration and credentials precedence documentation.
Also the documentation for assuming a role with web identity notes for environment variables AWS_ROLE_ARN
and AWS_WEB_IDENTITY_TOKEN_FILE
:
These environment variables currently apply only to the assume role with web identity provider. They don't apply to the general assume role provider configuration.
For further investigation, could you provide your debug logs (with any sensitive info redacted) by adding --debug
to the command?)
Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
I face this issue when I use aws sso login
.
➜ .aws git:(main) ✗ aws --version
aws-cli/2.17.45 Python/3.11.9 Linux/6.10.7-arch1-1 docker/x86_64.amzn.2
$ cat ~/.aws/config
[default]
sso_session = workstation
sso_account_id = 012312312312
sso_role_name = AdministratorAccess
region = us-west-1
output = json
s3 =
use_dualstack_endpoint = true
[profile client1]
region = ap-south-1
sso_session = client1
sso_account_id = 045645645645
sso_role_name = AdministratorAccess
[sso-session workstation]
sso_start_url = https://d-123123123.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
[sso-session client1]
sso_start_url = https://d-456456456.awsapps.com/start
sso_region = ap-south-1
sso_registration_scopes = sso:account:access
Setting AWS_PROFILE
envvar does nothing. I'm having to explicitly provide --profile
switch for it to work.
Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
Issue persists in version 2.17.52
If you add --debug
to your command, then you should see the order in which the CLI is looking for credentials, which is documented here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html. Can you share your logs (with any sensitive info redacted) for further investigation? I'm not sure that what you're describing is directly related to the original issue here, or if either case is reproducible.
Describe the bug
when using the environment variable
AWS_PROFILE
, if theAWS_ROLE_ARN
env exists the profile env is ignored. but when using the--profile
the new profile is used.Expected Behavior
AWS_PROFILE should not get override
Current Behavior
AWS_PROFILE
env is ignored ifAWS_ROLE_ARN
is setReproduction Steps
run aws configure
run aws sts get-caller-identity
Possible Solution
No response
Additional Information/Context
No response
CLI version used
aws-cli/2.17.33 Python/3.11.9 Linux/5.10.219-208.866.amzn2.x86_64 exe/x86_64.debian.11
Environment details (OS name and version, etc.)
docker image python:3.11-slim-bullseye